"Certify" only master key

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jul 31 16:24:39 CEST 2013


On 07/30/2013 07:10 PM, atair wrote:

> What is the advantage of having a certify+sign master key? 

Note that if you have access to the secret key material of the primary
key in an OpenPGP certificate (what you're calling the "master key"),
there is nothing stopping you from reissuing the certificate itself with
different usage flags set.

So while you can omit usage flags on the primary key as guidance for
other people, that omission does nothing to protect you against an
attacker who manages to compromise your primary key.

	--dkg
